b'NATIONAL CREDIT UNION ADMINISTRATION\n\n      OFFICE OF INSPECTOR GENERAL\n\n\n\n\n                 YEAR 2000\n\n             PROGRESS OF\n       HIGH RISK CREDIT UNIONS\n\n       OIG-998      October 27, 1999\n\n\n\n\n          _______________________\n\n            FRANK THOMAS\n          INSPECTOR GENERAL\n\x0c                       TABLE OF CONTENTS\n\n                                                              PAGE\n\nINTRODUCTION                                                   1\n\nBACKGROUND                                                     1\n\nOBJECTIVES                                                     2\n\nSCOPE AND METHODOLOGY                                          2\n\nOBSERVATIONS                                                   3\n     Follow up at Credit Unions rated Unsatisfactory or        4\n          Needs Improvement - High Risk\n    Follow up at Credit Unions rated Satisfactory -Low Risk    6\n    Business Resumption Contingency Plans                      7\n\n\nMATTERS FOR CONSIDERATION                                      8\n\n\n\n\n                                       ii\n\x0c                            Year 2000 Progress of High Risk Credit Unions\n\n\n\n\n   Introduction            This is the fourth of the Office of Inspector General\xe2\x80\x99s (OIG) series of\n                           reports addressing the Year 2000 (Y2K) computer problem as it relates\nto the National Credit Union Administration (NCUA) and federally insured credit unions\n(FICUs). This report primarily addresses NCUA\xe2\x80\x99s follow-up of high risk credit unions. This\nreport also reviews the justification for assigning low risk ratings to a small sample of credit\nunions.\n\nBecause of the time critical nature of the Y2K problem, and in order to provide the NCUA Board\nwith timely information, we are not making formal recommendations or asking for a written\nresponse. Rather, we are offering certain suggested actions as matters for consideration by the\nNCUA Board and agency management in this management report.\n\nOther Y2K reviews in process include: Y2K readiness status of credit union vendors; and\nliquidity status of natural person credit unions.\n\n\n                            Internally, NCUA Y2K risk ratings for each credit union are\n      Background            determined by the examiner as of the most recent on-site contact.\n                            Internal risk ratings are high, medium, and low based on examiner\njudgment of the credit union\xe2\x80\x99s progress. A high rating is assigned to credit unions not\nprogressing towards compliance. A low rating is assigned to credit unions clearly demonstrating\ntheir progress towards compliance. A medium rating is assigned to credit unions that fall\nsomewhere between the high and low ratings. A medium rating indicates a need for supervisory\nattention but not to the degree that necessitates NCUA\xe2\x80\x99s intervention. The NCUA has provided\nguidance to examiners to ensure that timely contacts are made at credit unions to address any\nreadiness problems. Guidance was provided to examiners in June 1999 to clarify the criteria for\nassignment of high, medium, and low ratings and supervision follow-up.\n\nNCUA reports credit union progress in preparing for Y2K operations to Congress using the\nFederal Financial Institution Examination Council (FFIEC) categories of unsatisfactory, needs\nimprovement, and satisfactory. Prior to June 1999, the risk ratings reported to Congress were\nnot consistent with the internal risk ratings assigned by the examiners. For example, the\nunsatisfactory category reported to Congress only included those credit unions under\nadministrative \xe2\x80\x9ccompel\xe2\x80\x9d actions. However, starting in June 1999, the risk ratings reported to\nCongress (unsatisfactory, needs improvement, and satisfactory) now match the internal ratings of\nhigh, medium, and low respectively.\n\nIn an August 28, 1998 letter to the NCUA Inspector General, the House Committee on Banking\nand Financial Services requested information regarding OIG Y2K review activities. The OIG\ndiscussed the possibility of reviewing several areas of NCUA Y2K activities including consistent\nreporting to Congress of credit union readiness with committee staff. The OIG and committee\nstaff were interested to determine if credit unions particularly in the unsatisfactory and needs\n\n\n\n\n                                                 1\n\x0c                            Year 2000 Progress of High Risk Credit Unions\n\n\nimprovement reporting categories, were receiving appropriate and timely follow-up to ensure\nsatisfactory progress.\n\n\n\n     Objectives            Our specific review objectives were: (a) to evaluate whether credit\n                           unions rated unsatisfactory (credit unions under administrative actions)\nand those rated needs improvement (examiner rated high risk - not progressing satisfactorily) are\nreceiving appropriate and timely follow-up; and (b) to determine if high risk credit unions have\nadequate Y2K contingency plans. In addition, we wanted to review a small sample of credit\nunions rated satisfactory (low and medium risk rated credit unions) to determine if the rating\nappeared justified based upon NCUA\xe2\x80\x99s criteria.\n\n\n Scope and Methodology             We reviewed documentation for a sample of credit unions for\n                                   supervision and follow up contacts from two of six NCUA\nregions to determine adequacy and timeliness of follow up. We also reviewed this sample of\ncredit unions to determine the adequacy of contingency plans in accordance with agency\nguidance. Our March 31, 1999 review universe included 152 high risk credit unions (53\nunsatisfactory and 99 needs improvement). The review was performed in Regions I and III and\nincluded a sample of 33 credit unions with unsatisfactory and needs improvement ratings. We\nbegan our review in April 1999 and the fieldwork was completed in August 1999. Because of the\nlimited review scope and our desire to provide NCUA management with timely information, we\nfollowed the President\xe2\x80\x99s Council on Integrity and Efficiency Quality Standards for Inspections\nwith the exception of the standards for fraud and other illegal acts and follow-up.\n\nOur review included documentation for natural person credit unions. We reviewed\ndocumentation to determine if contact occurred in accordance with agency guidance; and that the\ncontact occurred in a timely manner. We reviewed documentation for nine credit unions rated\nsatisfactory to determine consistency of rating assignment.\n\nOur review was designed to answer the following questions.\nA. NCUA follow-up:\n       \xe2\x80\xa2 Why was credit union assigned the rating and did rating meet agency criteria for\n           rating.\n       \xe2\x80\xa2 What type of contact.\n       \xe2\x80\xa2 Was contact timely.\n       \xe2\x80\xa2 Was contact performed in accordance with plans and agency guidance.\n       \xe2\x80\xa2 If contact was not performed why not.\n       \xe2\x80\xa2 What are plans for next contact and are the plans reasonable.\n       \xe2\x80\xa2 How was contact documented.\n       \xe2\x80\xa2 Can credit union meet current and future milestones. If not what are credit union and\n          agency plans.\n       \xe2\x80\xa2 If administrative action assigned, can credit union reasonably comply. If not what\n          are alternative plans by the credit union and agency.\n       \xe2\x80\xa2 What quality control/review performed prior to and for the contact.\n\n\n                                                 2\n\x0c                            Year 2000 Progress of High Risk Credit Unions\n\n\n       \xe2\x80\xa2 For Federally Insured State Credit Union (FISCU): Is there evidence of timely and\n         adequate monitoring/plans by State Supervisory Authority (SSA) and\n         NCUA in order to ensure credit union problems are resolved in timely manner.\n       \xe2\x80\xa2 Overall assessment of credit union progress.\n\nB. Business Resumption Contingency Plans:\n       \xe2\x80\xa2 Does credit union have a written contingency plan.\n       \xe2\x80\xa2 Does contingency plan meet guidance provided by agency.\n       \xe2\x80\xa2 What evidence of examiner assessment of plan (is plan reasonable).\n       \xe2\x80\xa2 Does agency have plan to monitor the credit union to ensure that if necessary the plan\n          will be implemented if needed in a timely manner.\n       \xe2\x80\xa2 Does plan address liquidity and how was this assessed by the agency.\n       \xe2\x80\xa2 For FISCU: Is there evidence of timely monitoring and action by SSA and NCUA.\n       \xe2\x80\xa2 What is overall assessment of adequacy of contingency plan.\n\nWe performed the following procedures to meet our review objectives:\n      \xe2\x80\xa2 Interviewed certain Central Office and regional office staff;\n      \xe2\x80\xa2 Reviewed Central Office and regional guidance and procedures; and\n      \xe2\x80\xa2 Reviewed sample documentation for 42 credit unions (21 federal credit unions and 21\n          federally insured state chartered credit unions). Our review was limited to\n          examination and contact documentation available in the regional offices. We reviewed\n          follow-up documentation, including information update forms and contact checklist\n          information, prepared by staff. We also reviewed credit union Y2K contingency plans\n          and examiner-prepared contingency plan review checklists when available.\n\n\n\n\n                                    OBSERVATIONS\n\nNCUA has reported that 99.3 percent of the nation\xe2\x80\x99s federally insured credit unions have finished\nrepairing, testing and verifying their computer systems to ensure they can process transactions\nsmoothly after January 1, 2000. To determine credit union readiness agency examiners have\nvisited every federal credit union twice and many will have a third visit before the end of 1999.\nNCUA examiners spent over 90,000 hours onsite conducting Y2K readiness examinations. We\nfound that supervisory contacts are being made in accordance with agency guidance and staff are\nfollowing supervision guidance.\n\nCredit unions rated unsatisfactory and needs improvement have declined dramatically in 1999. As\nof August 31, 1999, NCUA reported that only .5 percent of the credit unions are rated\nunsatisfactory or needs improvement. The results of our review found that, in most instances,\nfollow-up contacts were made as required at high risk credit unions in a timely manner and in\naccordance with agency guidance.\n\n\n\n                                                 3\n\x0c                                Year 2000 Progress of High Risk Credit Unions\n\n\nIn our review of a small sample of credit unions rated low risk, we found that credit unions are\nbeing rated in a consistent manner in accordance with agency guidance. At the time of our\nreview, follow-up at satisfactory rated credit unions was under discussion.\n\nNCUA requires that credit unions prepare Business Resumption Contingency Plans (BRCP). We\nfound that BRCPs were prepared by the credit unions in our review sample. The examiner\xe2\x80\x99s\nreview documentation indicated most BRCPs were reasonable and acceptable. However, it was\ndifficult to determine the degree of analysis performed by the examiner in determining the\nacceptability of the plans. At the time of our review, not all BRCPs had been tested. In some\ninstances, testing of the BRCPs was to be done in the third and fourth quarters of 1999. Follow-\nup plans regarding analysis and testing of BRCPs were in the discussion and developmental\nstages.\n\n\n                                                                    We reviewed documentation\n    Follow up at Credit Unions Rated Unsatisfactory                 for 33 credit unions risk rated\n          or Needs Improvement - High Risk                          high risk. We found that in\nmost instances contacts were made as required at high risk credit unions in a timely manner and in\naccordance with agency guidance. Overall we found that staff are following guidance regarding\nhigh risk credit unions in regards to appropriate and timely follow-up.\n\nHigh risk credit unions, at the time of our review, included credit unions that were not\nprogressing toward compliance and in the examiner\xe2\x80\x99s judgment, management at these institutions\ndid not have a sufficient understanding of the problem or its consequences. High risk credit\nunions included those rated as unsatisfactory or needs improvement according to the criteria\nprovided by the Federal Financial Institutions Examination Council.\n\nAs recently as July 28, 1999, the agency indicated there were 63 unsatisfactory (high risk) and\n830 needs improvement (medium risk) rated credit unions. As of August 31, 1999 the agency\nreported 7 credit unions rated unsatisfactory and 50 credit unions rated needs improvement.\nThis represents .5 percent of the 10,753 credit unions. As of August 31, 1999, less than 1 percent\nof the credit unions were rated unsatisfactory or needs improvement in the two regions we\nvisited.\n\nNCUA is a part of the Federal Financial Institution Examination Council (FFIEC). The FFIEC\ndeveloped a work program for use by the regulators in evaluating the Y2K status of financial\ninstitutions. In addition to FFIEC guidance, the Central Office and regional offices provided\ninstructions and clarifications regarding risk ratings1. Risk rating definitions are open to some\n\n\n1\n  Examiners assign overall risk ratings of High, Medium, and Low to credit unions based on examiner judgment of\nthe credit union\xe2\x80\x99s progress. \xe2\x80\x9cUse high, medium, or low risk categorization based on examiner judgment of the\ncredit union\xe2\x80\x99s progress\xe2\x80\xa6 . Credit unions rated as low risk are clearly demonstrating their progress towards\ncompliance both in terms of systems remediation and interfaces with third parties. Those credit unions rated as\nhigh risk are not progressing towards compliance and in the examiner\xe2\x80\x99s judgment, management at these\ninstitutions does not have a sufficient understanding of the problem or its consequences. Credit unions rated as\n\n\n                                                       4\n\x0c                                 Year 2000 Progress of High Risk Credit Unions\n\n\ninterpretation and examiner judgment in assigning the ratings to individual credit unions. Credit\nunion examiners follow the FFIEC program including completion of a checklist and overall risk\nrating during the credit union examination or Y2K contact.\n\nNCUA has provided guidance for monitoring credit union compliance progress in meeting\nremaining milestones of June 30, 1999 testing; July 31, 1999 substantially complete\nimplementation; and September 30, 1999 final implementation. Field staff and regional offices\nperiodically report to the Central Office progress being made by credit unions.\n\nWe found regional management continuously communicates with examiners and staff regarding\nY2K through phone calls, written guidance, memos, and status reports. One example is the\nRegion I monthly Y2K Watchlist report sent to appropriate field staff. In addition the agency has\nprovided guidance and clarification regarding risk rating assessments in bulletins and\nmemorandums. Regions received input from examiners in developing risk rating guidelines. In\nJune 1999, new criteria and clarification regarding risk assessments was provided to examiner\nstaff. Credit unions deemed unsatisfactory were high risk rated; credit unions rated needs\nimprovement were medium risk rated; and credit unions rated satisfactory were rated low risk\nrated. Examiners were required to upload e-forms by July 31, 1999, if there were any credit\nunions needed to be re-rated to unsatisfactory or needs improvement based on the new criteria.\n\nWhen a credit union is identified as making unsatisfactory progress (high risk) an on-site contact\nwas conducted by July 31, 1999, and monthly thereafter until such time as the risk rating\nimproves to needs improvement or satisfactory. When a credit union is identified as needs\nimprovement an examiner will conduct monthly or quarterly on-site or off-site contacts as\ndetermined by policy until such time as the credit union is rated as making satisfactory progress.\nA satisfactory (low risk) credit union will receive normal supervision as determined by regional\npolicy.\n\nExaminers are required to submit a Y2K update to NCUA for the credit union via an electronic\nupdate form (e-form) at the time of each examination or contact. A part of the e-form requires\nthe examiner to risk rate the credit union high, medium, or low based on the examiner\xe2\x80\x99s judgment\nof the credit union\xe2\x80\x99s progress in becoming Y2K ready. The e-form update information; examiner\nprepared FFIEC checklist (Section 6 form) information; and credit union prepared quarterly status\nY2K reports are used by the regional office and Central Office in determining overall Y2K\nreadiness for credit unions. Regional management addresses status of FICUs in periodic reports\nto the Central Office.\n\nThe regional division of supervision (DOS) conducts monthly reviews of reports and update\ninformation from examiners to determine credit union progress, to ensure contacts are made in a\ntimely manner, and that examiners take needed corrective action. DOS conveys information\nregarding credit union status to staff through memos and reports. During the past two examiner\ngroup meetings, management reviewed ratings and status with examiners and supervisory\nexaminers for all credit unions.\n\nmedium risk fall somewhere between the other two ratings, indicating a need for supervisory attention but not to a\ndegree that necessitates intervention on NCUA\xe2\x80\x99s part.\xe2\x80\x9d (NCUA Bulletin No. 13610.02(REV), dated July 27, 1998)\n\n\n                                                        5\n\x0c                            Year 2000 Progress of High Risk Credit Unions\n\n\n\n\nThe agency and state supervisory authorities (SSAs) utilize administrative actions and Regional\nDirector Letters (RDLs) to ensure compliance and readiness at credit unions. As milestones are\npassing and approaching quicker, regions are increasingly using published Letters of\nUnderstanding and Agreement to resolve Y2K compliance issues. According to Central Office\nguidance, credit unions must be risk rated unsatisfactory or needs improvement (high risk and\nmedium risk respectively) if there is outstanding Y2K-related administrative action. Generally,\nhowever, a credit union does not have to be risk rated less than satisfactory if the outstanding\nadministrative action addresses non-Y2K issues. It is our understanding all high risk credit unions\nhave been issued administrative \xe2\x80\x9ccompel\xe2\x80\x9d actions. In addition, all high risk rated credit unions\nhad an on-site contact in July and will continue to have monthly on-site contacts until the credit\nunion resolves the problems and is rated medium or low.\n\nOur sample included 14 credit unions under Y2K related administrative actions that were rated as\nlow risk. Under guidance sent from the Central Office in June 1999, these credit unions should\nhave been reclassified to medium or high risk by July 31, 1999 if sufficient progress had not been\naccomplished. As of July 31, 1999, sufficient progress had been made in 13 of the 14 cases to\nwarrant a low risk rating. The remaining credit union was rated medium risk because of an\noutstanding Regional Director Letter.\n\nNCUA regions review samples of federally insured state chartered credit unions (FISCU)\nquarterly reports to ensure that credit unions are becoming Y2K compliant in a timely manner.\nSSAs determine when on-site contacts at FISCUs are performed or needed. Regions select 3\npercent of FISCU prepared quarterly status reports for review. The supervisory examiner selects\nthe FISCU report to be reviewed. Examiners perform the review and DOS monitors action by\nexaminer. Regional management has met and is continuing to meet on a periodic basis with SSAs\nto discuss common problems. In addition, DOS sends monthly reports to SSAs regarding FISCU\nrisk ratings, review results, and progress of FISCUs.\n\n\n\n         Follow up at Credit Unions Rated                     The vast majority of credit unions,\n              Satisfactory - Low Risk                         99.5 percent as of August 31, 1999,\n                                                              are reported by NCUA as making\nsatisfactory progress in becoming Y2K ready. Accordingly, these credit unions are rated low risk\nand receive a limited amount of resources in monitoring. To determine if risk ratings are being\napplied on a consistent and reasonable basis we reviewed a small sample of nine credit unions\nrated satisfactory with assets in excess of $50 million. Our review of sample documentation\nindicated that, overall, examiners addressed problems noted and identified plans to resolve the\nproblems.\n\nWe found that there are limited plans to monitor credit unions reported as being Y2K compliant.\nHowever, both regions plan to perform some follow-up work to ensure that credit unions rated\nsatisfactory are in fact compliant. At the time of our review, Region I management had prepared\npreliminary draft plans regarding on-site quality control reviews at credit unions. DOS analysts\n\n\n                                                 6\n\x0c                            Year 2000 Progress of High Risk Credit Unions\n\n\nin conjunction with SSAs were planning to perform on-site contacts in September at selected\ncredit unions. If problems were noted in September, the on-site review program would be\nexpanded in October with additional follow-up by select Y2K group specialists.\n\nRegion III indicated that some work in satisfactory rated credit unions would be performed\ntowards the end of 1999. The plans were incomplete. However, the region planned to visit or be\nin contact with all credit unions during the fourth quarter 1999.\n\n\nBusiness Resumption Contingency Plans                    Credit unions are required to complete a\n                                                         Business Resumption Contingency Plan\n(BRCP) that is comprehensive and unique to the credit union. The plan should be designed to\nmitigate risks associated with (1) the failure to successfully complete renovation or\nimplementation of its Year 2000 readiness plan (remediation contingency plan) and (2) the failure\nof systems at critical dates (business resumption contingency planning). The BRCP process\nshould include establishing organizational planning guidelines, completing a business impact\nanalysis, developing a contingency plan that establishes timelines, and designing a method of plan\nvalidation. The BRCP was to be completed by no later than June 30, 1999. Credit union testing\nof the BRCP may be performed in the third and fourth quarters of 1999.\n\nWe found that credit unions are developing BRCPs as required. In addition we found that the\nvast majority of credit unions in our review sample had acceptable Business Resumption\nContingency Plans as determined by examiner review. The chart below shows how the 42 credit\nunions in our sample performed in key BRCP criteria at the time of our review.\n\nBusiness Resumption Contingency Plan (BRCP) Criteria:                             Yes:   No:\nDoes the credit union have a written BRCP?                                        41     1\nIs the BRCP reasonable and acceptable for the credit union\xe2\x80\x99s size and             39     3\ncomplexity?\nHas the credit union developed a Core Systems Contingency Plan?                   39     3\nIs the Core Systems Contingency Plan reasonable and acceptable for the credit     39     3\nunion\xe2\x80\x99s size and complexity?\nHas the credit union performed a Business Impact Analysis?                        33     9\nIs the Business Impact Analysis reasonable and acceptable for the credit          33     9\nunion\xe2\x80\x99s size and complexity?\nHas the credit union validated (tested) the BRCP?                                 26     16\nIs the Validation reasonable and acceptable for the credit union\xe2\x80\x99s size and       26     16\ncomplexity?\n\nThe examiner analysis documentation available for review included a detailed database BRCP\nchecklist. Our review did not determine the depth of analysis performed by the examiner in\ndetermining the adequacy of the plans or testing performed by the credit union.\n\nExaminers were to ensure automated federal credit unions had BRCPs including liquidity plans,\nand were to review the plans by July 31, 1999. If the plans were inadequate appropriate\n\n\n                                                 7\n\x0c                             Year 2000 Progress of High Risk Credit Unions\n\n\nadministrative action was to be taken. Examiners prepare a BRCP checklist maintained in an\nagency database to document adequacy of BRCPs. Database information and update information\nis monitored and analyzed by the regional DOS. Quarterly updated information is provided to the\nCentral Office with the first quarterly report for June 30, 1999. DOS in each region will identify\nas needed areas for further action.\n\nAs a part of contingency plans, credit unions are establishing lines of credit with corporate credit\nunions. Regional managements are meeting with corporates to discuss emergency lines of credit\nand cash services. Satety and soundness issues regarding corporates are exchanged between the\nCentral Office and regional management.\n\nRegional plans to ensure BRCP plans are implemented in a timely manner are incomplete. In\nRegion I, bi-weekly conference calls between the regional office and the group Y2K specialists\nare held to determine status and areas that need additional work. Future plans for Region I are\nfor DOS to provide analysis guidance to staff and to perform on-site and off-site reviews of\nBRCPs to determine reasonableness of plans and to assess examiner analysis of the plans. We\nwere informed in Region III that DOS does not currently plan to perform on or off-site\nverification of the examiner\xe2\x80\x99s work or to validate, verify, or review credit union BRCPs due to\nresource limitations.\n\n\n\n\n                      MATTERS FOR CONSIDERATION\nThe OIG is suggesting the following actions as matters for consideration by the NCUA Board and\nagency management:\n\n\xe2\x80\xa2 NCUA should develop plans to test actual status of a sample of credit unions making\n  satisfactory progress (low risk rated).\n\n\xe2\x80\xa2 NCUA should develop appropriate staff guidance for follow-up by examiners at credit unions\n  for analysis of the adequacy of credit union Business Resumption Contingency Plans and to\n  ensure timely implementation of the plans as needed.\n\n\xe2\x80\xa2 NCUA should develop plans and guidance for staff for the review of testing of credit union\n  Business Resumption Contingency Plans to ensure that the testing plans are reasonable and\n  that the testing has been successfully performed.\n\n\n\n\n                                                  8\n\x0c'